UCLA May Enhance Protection Services Following Hack

Following a cyberattack that could affect up to 4.5 million individuals, UCLA Health initially is offering one year of free identity theft protection and restoration services. That may soon change.

If the hack was a criminal act rather than state-sponsored, that would significantly raise the risk of ID theft, and the HHS Office for Civil Rights likely would recommend two years of protection services, says David Damato, chief security officer at Tanium, a data network platform vendor. UCLA, in announcing the attack, called it a criminal act.

In cases where breaches involve significant risk to individuals, the Office for Civil Rights increasingly expects at least two years of protection. Further, UCLA Health, while it appears to have been proactive in trying to prevent this hack, is a breach repeat offender, having in 2011 paid an $865,500 fine and implemented a corrective action plan in a settlement with OCR following a spate of employee snooping incidents.

On the other hand, state-sponsored cyberattacks conducted by nations generally focus on collecting data on individuals in government agencies or working for government contractors to gain political, military or economic intelligence and possibly turn some individuals into informants, notes Damato, who before joining Tanium was a lead investigator in the giant Anthem breach.

Investigations into hacks can be very tricky and problematic, Damato says. UCLA Health in October 2014 detected suspicious activity and determined at that time that there had been no access to the parts of the network containing protected health information (PHI). By early May 2015, there was evidence of access to parts of the network holding PHI, and that the access had actually started as early as September 2014.

Just like with all types of evidence, there is a timetable to digital evidence, Damato explains. But data can degrade over time or be overwritten by newer data, so access logs indicating when data was accessed or user accounts seen can have huge gaps.

Organizations can save logs, and Damato believes it is likely that UCLA Health took images and pulled information. But an attacker can move around, and an organization, despite its best efforts, may not have the data needed to fully scope the environment. The bottom line: it is difficult to do computer forensics and figure out everything an attacker did.
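To make the log-gap problem concrete, the following is an added example (not from the article, UCLA Health or Tanium) that measures how much of a reported intrusion window has no surviving log entries at all. The dwell window uses the September 2014 to early May 2015 dates from the article; the host log lines, user names and addresses are constructed for illustration.

```python
from datetime import datetime, timedelta

# Intrusion window reported for UCLA Health (September 2014 to early May 2015).
# The exact days are assumptions; the article gives only months.
DWELL_START = datetime(2014, 9, 1)
DWELL_END = datetime(2015, 5, 5)

# Constructed sample of the authentication log that survived on one host.
# These lines are made up for illustration and are not UCLA's logs.
SAMPLE_LOG = """\
2014-09-03T02:14:11Z auth ok user=svc_backup src=10.0.4.7
2014-09-03T02:15:40Z auth ok user=svc_backup src=10.0.4.7
2014-10-12T23:01:05Z auth fail user=admin src=10.0.9.22
2015-01-20T04:44:09Z auth ok user=dba src=10.0.4.7
2015-04-30T01:02:03Z auth ok user=dba src=10.0.4.7
"""


def parse_timestamps(text):
    """Return the sorted timestamps of the log lines (ISO 8601, UTC 'Z')."""
    stamps = []
    for line in text.splitlines():
        if line.strip():
            stamps.append(datetime.strptime(line.split()[0], "%Y-%m-%dT%H:%M:%SZ"))
    return sorted(stamps)


def coverage_gaps(stamps, start, end, max_gap=timedelta(days=7)):
    """Return (gap_start, gap_end) pairs inside [start, end] where the log
    is silent for longer than max_gap. A long silence from a host that
    normally logs means retention rolled over or the events were never
    captured; either way that period cannot be scoped from this source."""
    points = [start] + [s for s in stamps if start <= s <= end] + [end]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > max_gap]


def unscopable_fraction(gaps, start, end):
    """Share of the intrusion window that falls inside a gap."""
    missing = sum((b - a for a, b in gaps), timedelta())
    return missing / (end - start)


if __name__ == "__main__":
    gaps = coverage_gaps(parse_timestamps(SAMPLE_LOG), DWELL_START, DWELL_END)
    for a, b in gaps:
        print(f"no log entries from {a:%Y-%m-%d} to {b:%Y-%m-%d}")
    print(f"{unscopable_fraction(gaps, DWELL_START, DWELL_END):.0%} of the window has no coverage")
```

In practice the same check is run per host and per log source, and the union of the gaps tells the investigator which stretch of the dwell time cannot be reconstructed at all.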

Encryption remains a best practice, Damato says, but in the UCLA situation the attacker was inside the network for several months and found ways around encryption, such as finding an encryption key or accessing data while it was temporarily unencrypted. For instance, credit and debit card data should be encrypted, but it can become vulnerable while temporarily unencrypted during processing.

Encryption is just one security layer, and beyond the technology safeguards there are policy issues that all organizations should be reassessing. Damato recommends asking:

* Does an organization know how many devices holding PHI it has, where they are, and if their security is updated?

* Does an organization know what data is the most valuable and could the organization detect different ways attackers could access various databases?

* If a breach occurs, does an organization have all the tools to properly respond?